LDAP authentication is limited hosts within campus only. This docunment explain the technical detail of LDAP authentication service.

NOTE: Web based application SHOULD NOT use this service.  Instead you should use CAS to authenticate your user, please reference to CAS of the Authentication service for more information.

Details


Available To

Departmental Technical Staff and hosts within campus

Service Fee


Service Hours


Getting Started

A formal request for access is required. The requesting entity must meet certain security criteria to get access to the LDAP service.  Please send email to cchelp@ust.hk with the information below to request the access

  • Email Subject: Request for LDAP authentication
  • Email Content:
    • 2 Technical contacts
    • Department which owned the application
    • Application description in brief
    • IP address(es) require LDAP authentication

After the request have been approved, a service account will be given to you.  And you could use the service account to access the LDAP service and authenticate the user.

Data Security


Details

LDAP Connection parameter

Host: openldap.ust.hk

Port: 389 for StartTLS, 636 for SSL (non-encrypted connection is not allowded)

Base DN: dc=ust,dc=hk

Scope: subtree

Filter: uid=<username>

Attribute stored

uid - ITSC network account name

mail - E-mail address of the user

sn - Surname

givenname - Given name

cn - Full name

departmentnumber - department code of the account belongs (e.g. ITSC, ISO, etc)

eduPersonAffiliation - account type: staff / undergrad / postgrad / department / project

eduPersonPrincipalName - <ITSC account name> + @ust.hk

LDAP Lockout Policy

User account will be lockout (ban for authenticate) after 10 incorrent login attempts in 1 minute.  After 2 minutes, the user's account will be unlocked and login attempts may continue.